Jérôme Segura, a senior security researcher with Malwarebytes, reported in a blog post this week that in late February, Norfolk General Hospital's website was observed pushing ransomware called Teslacrypt to computers that visited the website.

Teslacrypt locks your files and makes them inaccessible using encryption, then demands a ransom of $500 US to restore access.

Drive-by download

The file was served in a "drive-by download" attack, Segura said, meaning you don't have to click on anything on the page.

"You just go to the site that's compromised, and within a few seconds, malware is downloaded onto your computer and that's it," he told CBC News.

In this case, visitors to the site would have included patients, their families and staff who accessed a staff portal with schedules and an internal directory via the website.

Security researcher Jerome Segura says hospitals are, in many ways, the 'perfect victim' for cyberattacks: 'Their systems are out of date, they have a lot of confidential information and patient files. If those get locked up, they can't just ignore it.' (Getty Images)

Visiting Windows computers would have been vulnerable if they were running Internet Explorer or older versions of the Adobe Flash or Microsoft Silverlight players.

Segura said hospitals are in many ways the "perfect victim" for cyberattacks. "Their systems are out of date, they have a lot of confidential information and patient files. If those get locked up, they can't just ignore it."

Segura said Malwarebytes detected an attack from the Norfolk General Hospital website via a user of Malwarebytes anti-exploit software. The free software detects and blocks web-based attacks, then sends a report back to Malwarebytes.

The attack caught Segura's eye because he's based in Canada and the attack came from a site with a .ca domain name.

Outdated software

He set up a virtual machine, used it to visit the hospital's website himself, and recorded the attack, confirming that it originated from malware on the website itself.

It appeared that the site was running a very outdated version of the web content management software Joomla. The old software contains a lot of security vulnerabilities that cybercriminals had apparently exploited in order to hide malware in the website's source code.

Security researcher Jerome Segura set up a virtual machine, used it to visit Norfolk General Hospital's website, and recorded the attack, confirming that it originated from malware on the website itself. (Malwarebytes)

Segura contacted the hospital with his findings multiple times, but didn't hear back for two weeks.

During that time, he said, "a lot more people may have visited the site."

He also thinks the site may have been serving malware for some time before Malwarebytes detected it. Simcoe, Ont., has a population of just 14,777, so the chance of a Malwarebytes software user visiting the site is relatively small.

Dennis Saunders, the IT lead and systems administrator for the Norfolk General Hospital, said he didn't get back to Segura initially because Segura's first email sounded like a sales pitch, and his web hosting company, Kwic Internet, thought the second email was a phishing attempt by cybercriminals.

Saunders said the hospital first got a report of ransomware on a hospital computer on Feb. 22, four days before Segura's first attempt to contact the hospital.

Security breach

Saunders asked Kwic Internet to have a look. It confirmed that there had been a "security breach" and replaced some files that appeared to have been compromised, he said.

Saunders requested more details after hearing from Segura, and was told the hospital website had been redirecting visitors to other sites that host malware, but there was nothing on the hospital's website itself.

'If they don't update it quickly, it will happen again.'– JérômeSegura, Malwarebytes

Jim Carroll, business developer for Kwik Internet, told CBC News that his company does nothing but host the site.

"It's usually the website developer that would deal with issues of security," he said.

Saunders said the hospital's web software has now been updated by a web developer not affiliated with the hospital or Kwic Internet.

In the end, three hospital computers were infected with ransomware, but the hospital doesn't believe its own website was the source. The infected computers were restored from backups and no ransom was paid.

Saunders added that staff and the public were not notified about the situation because "it was addressed quickly, so there wasn't a concern for staff."

Segura confirmed that as of this week, the hospital site appears to be clean of malware, but both his own research and independent sites such as Sucuri sitecheck confirmed that the website was still using an old and vulnerable version of Joomla. In fact, he said, the Joomla version that the site is running is even older than the previous version, suggesting that the problem had been fixed by rolling the site back to an earlier version.

"If they don't update it quickly, it will happen again," he said, adding that leaving the website in an outdated state is "just very irresponsible."

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Note: The CBC does not necessarily endorse any of the views posted. By submitting your comments, you acknowledge that CBC has the right to reproduce, broadcast and publicize those comments or any part thereof in any manner whatsoever. Please note that comments are moderated and published according to our submission guidelines.